Managing Cybersecurity Risks for Non-Profits
Jeff Olejnik, Partner, Risk Advisory Services
Agenda
- Cybersecurity Threat Landscape
- Business Risks
- Top Hacker “Attack” Techniques
- 12 Tips to Protect Your Organization
- Tools and Resources
- Q&A
Wipfli Cybersecurity Practice
Comprehensive Governance, Risk, Compliance, and Testing
Notable Data Breaches
Business Has Changed
- Compliance
- Outsourcing
- Big Data
- Mobile apps
- BYOD
Cyber Risk Trends
- Big business – more highly skilled hackers (cyber gangs/organized crime) who are financially motivated
- Cyber crime is currently outpacing traditional crime in the United Kingdom in terms of impact, spurred on by the rapid pace of technology and criminal cyber capability, according to the UK’s National Crime Agency
- The bad guys are getting better: tool kits, crimeware as a service
Cyber Risk Trends – New platforms create new cyber attack opportunities
The Internet of Things (IoT):
- Cars
- Smart home devices (e.g., security systems)
- Medical devices (e.g., scanners, insulin pumps, implantable defibrillators)
- Embedded devices (e.g., webcams, Internet phones, routers)
Casino Fish Tank Hack
- Hackers exploited a vulnerability in an Internet-enabled fish tank
- Moved laterally to gain access to the “high-roller” database
- Exfiltrated data to a server in Finland
Small Does Not = Safe
Cybersecurity Business Risks
- Damage to Critical Business Relationships: Unauthorized access to client data could be devastating to relationships.
- Impact of Breach on Growth Strategy: A breach that involves your donor database could derail capital campaigns and future giving from loyal donors.
- Risk to Operations & Service: Operational stability could be impacted by a cyberattack, affecting delivery of service and care.
- Brand & Reputational Risk: The current security posture could be embarrassing to executives and may damage our brand.
- Compliance & Regulation: Non-compliance with client and prospect cybersecurity requirements would impact the ability to compete.
Account Hijacking Cycle (diagram)
1. Hacker engages: an email is received by the victim, or the victim visits a legitimate website; the attachment contains malware, or a malicious script is on the website.
2. Workstation compromised: the victim is infected with credentials-stealing software, and banking credentials are stolen.
3. The hacker receives the banking credentials, remotes into the victim’s computer via a compromised proxy, and logs on to the victim’s online banking service.
4. Stolen funds: money is transferred to fraudulent companies.
5. Mules receive the stolen funds and retain a percentage.
6. Money is laundered and moved offshore.
Cycle repeats.
Cyber Risk Trends – Business Email Compromise (BEC) Scams
- Attacker targets a senior executive (e.g., CEO, CFO)
- Attacker gains access to the victim’s account or uses a “look-alike” domain to send a message tricking an employee into performing a wire transfer
- Wire transfers are typically $100,000 or higher
- Businesses should adopt two-step or two-factor authentication for
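A defender-side check for the “look-alike” domain trick described above, added here as an example that is not part of the original presentation: it folds common character substitutions, compares the sender’s domain with the organization’s own, and flags wire-transfer requests that come from a near match. The organization domain, the substitution table and the sample messages are assumed placeholders.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed organisation domain; a placeholder, not a value from the slides.
ORG_DOMAIN = "example-nonprofit.org"

# Character swaps commonly used to build look-alike domains (constructed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(name: str) -> str:
    """Lower-case, strip accents and fold look-alike characters to what they imitate."""
    folded = unicodedata.normalize("NFKD", name.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded

def classify_sender(sender: str, org_domain: str = ORG_DOMAIN, threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: header value."""
    _, addr = parseaddr(sender)
    if "@" not in addr:
        return "invalid"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    org = org_domain.lower()
    registrable = ".".join(host.split(".")[-2:])  # drop sub-domains
    if registrable == org:
        return "internal"
    if org in host:  # our name buried inside a longer host, e.g. org.evil.tld
        return "lookalike"
    ours, theirs = normalize(org), normalize(registrable)
    if ours == theirs or SequenceMatcher(None, ours, theirs).ratio() >= threshold:
        return "lookalike"
    return "external"

def triage(messages):
    """Tag (sender, subject) pairs; a wire request from a look-alike domain is flagged."""
    out = []
    for sender, subject in messages:
        verdict = classify_sender(sender)
        out.append((sender, verdict, verdict == "lookalike" and "wire" in subject.lower()))
    return out

SAMPLE = [  # constructed sample messages, not from the slides
    ("CEO <ceo@example-nonprofit.org>", "Board packet"),
    ("CEO <ceo@examp1e-nonprofit.org>", "Urgent wire transfer needed today"),
    ("CFO <cfo@exarnple-nonprofit.org>", "Wire: vendor payment"),
    ("CEO <ceo@example-nonprofit.org.mail-secure.example>", "Wire request"),
    ("Supplier <ar@vendor-supplies.example>", "Invoice 4471"),
]
```

Run `triage(SAMPLE)` to see the three look-alike senders flagged; a flagged message is exactly the case where the out-of-band confirmation the slides recommend should happen before any transfer.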
Cyber Risk Trends – Ransomware Example
- Employee opens a malicious email
- Personal files (and data on shared drives) are encrypted
- Ransom demand to provide the key to decrypt
- Ransom demand increases after 72 hours pass
- Ransomware increased more than 90% in 2017
Cloud Security
- Use multi-factor authentication
- Use O365 cloud app security
- Enable mailbox audit logging
- Enforce password complexity
- Configure Office 365 ADFS to be “Trusted” or “Closed”
Accounts Payable Change Scam
- The AP department is contacted by a fraudster appearing to be a client, asking to update ACH payment instructions via email, letter, or telephone.
- Out-of-band authentication to verify the legitimacy of the request should be in place.
Extortion
“Hello Jeff Olejnik I want you to take this letter seriously. I have been thinking for a long period of time whether it's worth writing this letter or not to you and decided that you have the right to know. I will be short. I've got an order to kill you, because your activity causes trouble to a particular person. I studied you for a long period of time and decided to give you a second chance, despite the specifics of my job, the rules of which don't allow me that, as this will kill my reputation (more 9 years of perfect order executions) in my circles. But i decided to break a rule since this is my last order (hope so). In general, let's Get down to business. I want you to pay 0.8 Btc. I only accept Bitcoin. Information how to forward you can find in Google. Here are my payment details below: 1JWEzqR3fSoiXaGF22dCXQmr5f3e3A8Zk9 When i'll receive funds I will send you the name of the man order came from, as well as all the evidence i have. You can use this information with the authorities. I would not recommend you to call police, because you have a little time (two days) and the police will not have enough time to investigate this matter. Responding to this letter doesn't make any sense, because i use one-time mailbox, because i care about my anonymity. I'll let you know as soon as i'll get funds. I sincerely regret that you became my target.”
I know what you’ve been doing online!
I have your password:
“As you may have noticed, I sent you an email from your account. This means that I have full access to your account: At the time of hacking your account had this password: erinXXXXX”
I have dirt on you!
“At the moment, I have harvested a solid dirt... on you... I saved all your emails and chats from your messangers. I also saved the entire history of the sites you visit. Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :)”
Pay me or else!
“Transfer $838 to my Bitcoin cryptocurrency wallet: 1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3”
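As an added example (not part of the slides), a heuristic scorer that triages messages forwarded to a reporting mailbox for the extortion indicators the two samples above show: a Bitcoin wallet address, a payment demand, a stolen-password claim, threats, a deadline and “don’t call the police / one-time mailbox” language. The indicator weights, the threshold and the constructed sample messages are assumptions; the wallet address used is made up and not a valid one.

```python
import re

# Indicator patterns modelled on the two extortion messages shown on the slides;
# the weights and the threshold are assumed, not taken from the deck.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
INDICATORS = [
    ("bitcoin_address", BTC_ADDRESS, 3),
    ("payment_demand", re.compile(r"\b(?:bitcoin|btc|transfer \$?\d+|pay me|payment details)\b", re.I), 2),
    ("password_claim", re.compile(r"\b(?:your password|had this password|full access to your account)\b", re.I), 2),
    ("threat", re.compile(r"\b(?:kill you|dirt on you|secret life|expose)\b", re.I), 2),
    ("deadline", re.compile(r"\b(?:\d+|one|two|three) (?:days?|hours?)\b", re.I), 1),
    ("anti_response", re.compile(r"\b(?:one-time mailbox|not recommend you to call police)\b", re.I), 1),
]

def score_message(body: str):
    """Return (score, matched indicator names) for one message body."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(body)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits

def classify(body: str, threshold: int = 5) -> str:
    """'extortion' when the score is high and a wallet address is present, else 'suspicious' or 'ok'."""
    score, hits = score_message(body)
    if score >= threshold:
        return "extortion" if "bitcoin_address" in hits else "suspicious"
    return "ok"

def triage(messages):
    """Classify a list of (subject, body) pairs, e.g. everything sent to a phishing-report mailbox."""
    return [(subject, classify(body)) for subject, body in messages]

# Constructed samples paraphrasing the slides; the wallet address is a made-up, invalid one.
FAKE_WALLET = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
SAMPLES = [
    ("Read this", "I've got an order to kill you. I want you to pay 0.8 Btc. "
                  f"Here are my payment details below: {FAKE_WALLET} You have a little time "
                  "(two days). I would not recommend you to call police. I use one-time mailbox."),
    ("Your account", "At the time of hacking your account had this password: erinXXXXX. "
                     f"I have harvested a solid dirt on you. Transfer $838 to my Bitcoin wallet: {FAKE_WALLET}"),
    ("Board meeting", "The board meeting moved to Thursday at 10. Please bring the updated budget."),
    ("Finance digest", "Bitcoin fell 5% this week; no action needed from the finance team."),
]
```

The last sample shows why a single keyword is not enough: a newsletter that merely mentions Bitcoin scores 2 and stays “ok”, while both scam paraphrases score 9.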
Recent Events: BlueKeep – June 17, 2019
According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled.[1] After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful. BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017.
Recent Events: Iranian “wiper” attacks
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. Iranian regime actors and proxies are increasingly using destructive "wiper" attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
– CISA Director Christopher C. Krebs, June 22, 2019
Rising Costs
- The total average cost of a data breach was $3.62 million ($141 per record), down 10% from the previous year. The size of a data breach increased 1.8% to more than 24,000 records. (Source: Ponemon Cost of Data Breach)
- Cyber crime will cost businesses over $2 trillion by 2019; 89% of all cyber attacks involve financial or espionage motives. (Source: Juniper Research)
- 32% of companies said they were the victims of cyber crime in (Source: PwC Economic Crime Survey 2016)
- The average time attackers stay hidden on a network is over 140 days. (Source: Microsoft)
Protect Your Organization!
CYBERSECURITY FORUM FOR SENIOR EXECUTIVES
Tip 1 - Know What You Are Protecting
- Customer database
- Client personally identifiable information (PII)
- Account information
- Credit card
- Driver’s license
- Intellectual property
- Business plans
- Employee records
- Financial information
Tip 2 - Practice Good Security Hygiene
- Complex passwords
- Firewall, anti-virus, anti-malware
- Back up data
- Patch and update
- Limit administrator rights
Tip 3 - Perform Security Assessment or Penetration Test
If your password is “password”, you deserve to be hacked.
Tip 4 - Train Your Employees
“You have to learn the rules of the game, and then you have to play better than everyone else.” - Albert Einstein
Tip 5 - Develop and Test Response and Continuity Plans
Tip 6 - Encrypt Whenever Possible
In use, at rest and in transit.
Tip 7 - Manage Mobile Devices
Tip 8 - Use Multi-Factor Authentication
Tip 9: Don’t Skip Detection and Response
Tip 10 - Prepare to Respond to Client Requests and Compliance Mandates
- Security policies
- SOC 2 reports
- Due diligence package
Tip 11 – Be Proactive with Your Board of Directors
Communicate Risk and Strategies
Employee Security Training and Awareness
Prepare for Board Questions:
- What are our top cybersecurity risks?
- How are we managing these risks?
- How are employees and customers made aware of their role related to cybersecurity?
- Are external and internal threats considered when planning cybersecurity program activities?
- How is security governance managed at the company?
- In the event of a serious breach, has management developed a robust response protocol?
- What cybersecurity insurance is in place, and what does it cover?
Report on Progress
Tip 12 - Review Cybersecurity Insurance
Rapid Cyber Risk Scorecard - Non-intrusive Cyber Risk Scan
- Non-intrusive scan
- Visibility into cyber risk posture
- Covers the first step of the Cyber Kill Chain: hacker reconnaissance
- Fully automated
- Less than 15% false positives and false negatives
10 Categories:
- DNS Health
- Email Security
- Leaked Credentials
- IP / Domain Reputation
- Digital Footprint
- Fraudulent Domains
- Patch Management
- Website Security
- Web Ranking
- Information Disclosure
Passive scan sources (diagram): Web, DNS, FTP, SMTP, Vulnerability Databases, Hacktivist Shares, Social Media, Internet-wide Scanners, Security Services, Hacker Sites, Leak Sources, Public Whois Databases
Diagram labels: “Passive Scan Area” (the sources above) and “No scan in this area”
Wrap Up and Q&A
Tools and Resources
- 30 Tips in 30 Days e-Book – www.Wipfli.com/30tips
- Wipfli Cybersecurity – Weekly Alerts
- Monthly e-Newsletters / Blogs
- Ransomware: Avoiding a Hostage Situation
- Equifax Data Breach – Is Your Identity at Risk?
- StaySafeOnline.org
- Better Business Bureau – Data Security Made Simpler
- FTC Interactive Business Guide For Protecting Data
Contact Information Jeff Olejnik, Partner Wipfli LLP